Alpin is now CoreSaaS.
In 2018, GDPR enforcement actions began trickling out from various EU data protection agencies. We want to give people a way to know who was fined, when, and why. This list focuses on major fines of at least €100,000.
Did we miss one? Let us know.
Major GDPR fine count:
- 2020: 6
- 2019: 31
- 2018: 1
- Total: 38
Major GDPR fine total in Euros (approximate due to currency conversion):
- 2020: € 56,172,946
- 2019: € 440,515,407
- 2018: € 400,000
- Total: € 497,088,353
2020 Major GDPR Fines
The Dutch Data Protection Authority fined an unnamed company for unlawfully using fingerprint scans of its employees for its attendance and timekeeping records. The DPA stated that “A fingerprint cannot be replaced, unlike a password. If something goes wrong, the impact can be huge and have a lifelong negative effect on the person concerned.”
The Personal Data Protection Authority of Croatia fined an unnamed bank for failing to provide access to the personal information of approximately 2,500 individuals who had requested visibility into their data at the bank.
The Data Protection Authority of Sweden fined Google for failing to remove the personal information of various individuals who had requested exclusion from Google search results.
The Dutch Data Protection Authority fined the tennis association for selling the personal data of more than 350,000 association members to sponsors. These sponsors then contacted some of the members by mail and telephone for marketing purposes. The Authority rejected the tennis association’s argument that it had a legitimate business interest in selling the information.
The Spanish Data Protection Agency imposed a fine on Vodafone España because the telephone operator was unable to prove that it had received consent from an individual to process that individual’s personal data, and was unable to prove that the individual had ordered service from the company. Further, the company disclosed the personal data to several credit agencies.
The Italian Data Protection Authority (Garante) fined TIM, a telephone network operator, for a variety of unlawful actions associate with marketing and advertising campaigns affecting several million people. These included making unsolicited promotional calls, enrolling people in prize competitions without their consent, ignoring do-not-call exclusion requests even after 155 calls were made to one individual. TIM lacked policies, systems, and management to properly conduct operations.
2019 Major GDPR Fines
The Hellenic Data Protection Authority imposed a fine because this company did not inform data subjects that their data would be processed and stored on company servers, failed to impose technical measures to secure the processing of this data, and failed to separate the software from the data, possibly allowing companies outside the Aegean Marine Petroleum Group to access these servers and the personal data on those servers.
The Information Commissioner fined this pharmacy operator €320,000 for failing to ensure information security – specifically, storing approximately 500,000 documents containing personal data including medical information in unsealed containers placed behind a building, resulting in water damage to the documents.
The Italian Data Protection Authority (Garante) imposed two fines totaling €11.5 million on Eni Gas and Luce. The €8.5 million fine was imposed because the company unlawfully processed personal data during an advertising campaign and had poor controls over and protections of personal data.
The Italian Data Protection Authority (Garante) imposed two fines totaling €11.5 million on Eni Gas and Luce. The €3 million fine was imposed because the company activated unsolicited contracts, some of which may have included forged signatures.
Personal information was available to anyone who provided the name and data of birth of a customer. The fine would have been much higher, but the company cooperated closely with regulators to quickly address the issue.
An unnamed hospital sent invoices to the wrong patients, exposing personal information of other patients.
A 2016 data breach concerning 57 million Uber users, of which 174,000 were Dutch citizens, was not reported within 72 hours.
Cell center operators entered data into a CRM system. Some of those operators were located outside the EU, so there was unlawful data storage in countries that did not provide an adequate level of protection of personal data. Some of the data related to the health status of the people contacted, as well as offensive language. Further, the data subjects were not informed of the recording of the calls, or of any other processing of their personal data.
Dutch employee insurance service provider UWV did not apply multi-factor authentication when granting access to the online employer portal, so security was deemed insufficient.
Unlawful storage of personal information in an archive system that did not have an option to delete old data. The system contained sensitive information about former and current tenants.
The Austrian Post sold detailed personal profiles of approximately 3 million Austrians to various companies and political parties.
Bank employees sent personal information, without requesting permission from the affected individuals, to Vreau Credit (which was also fined €20,000), and did not evaluate the risks of taking these actions.
Did not delete personal information, and continued telemarketing after being notified by consumers to stop.
2.2 million people’s personal information was accessed because it was poorly protected.
The company did not delete information of dormant customers, and continued sending unsolicited advertising emails.
Records of 6 million people was accessed in a security breach.
Tens of thousands of bank customer records were stolen because of poor system design and process execution.
PWC required its employees to sign a blanket consent for PWC to process their data. The regulator determined that there was an imbalance of power in the company-employee relationship, and that the consent was therefore not binding. Further, the regulator determined that the company gave the false impression that it was processing the data legally.
Exposed personal information through poor security. This was discovered by a customer, who found that personal data of other customers, including their driver’s licenses, registration cards and bank identification records, could be seen by simply changing the numbers at the end of the URL.
After acquiring its competitor Starwood, Marriott discovered Starwood’s central reservation database had been hacked. This included 5 million unencrypted passwords and 8 million credit card records. The hack was ongoing from 2014 to 2018. The breach impacted 30 million EU residents.
As a result of an attack on British Airways’ website, about 500,000 customer records were extracted by a malicious third party. The UK’s data protection agency claims BA’s website was compromised due to poor cyber security arrangements. This would represent the largest GDPR fine to date.
Revealed personal information such as the national identification number and the postal address of the payment issuers to the payment recipients. 337,042 individuals were affected between February and December 2018.
A Dutch hospital was fined over lax controls over logging and access to patient records. In one instance, 197 employees accessed one Dutch celebrity’s medical records.
The soccer league was accused of listening for piracy through its smartphone application. La Liga turned on user microphones in order to listen for sounds of the soccer game and match to any pirated stream using geolocaton. La Liga used the information to sue 600 bars for pirating soccer games.
Did not delete personal information of 385,500 dormant customers.
The real estate company’s website easily allowed accessing other individual’s information by changing the URL, making ID cards, tax notices, and other important documents available. The lack of user authentication resulted in the fine.
The personal data of 35,000 student accounts was stolen even after warnings were issued to the organization.
Exposed 63,000 students’ information in a mobile app that was not designed or tested to secure personal information.
This data process was fined because they scraped the internet for public contacts, amassing data on 6 million people. They did not inform these people that their data would be processed, and the company conducted commercial outreach to over 90,000 people, 12,000 of which objected to unauthorized use of their data.
As a result of a random audit, this taxi operator was found to have over 9 million personal records the company had stored unnecessarily. The fine came as a result of a failure to delete this unused contact information.
Google was fined from France’s data regulator, citing a lack of transparency and consent in advertising personalization, including a pre-checked option to personalize ads.
2018 Major GDPR Fines
Staff at the hospital used bogus accounts to access patient records.
October, 2018 (UPDATE May, 2020)
We include this small fine, since it was the first. A local business had a CCTV camera capturing too much public space.
However, in May, 2020, the company succeeded in appealing the decision, and the Austrian Federal Administrative Court annulled the administrative penalty imposed by the Austrian Data Protection Authority due to procedural irregularities.
Alpin helps companies discover and manage their SaaS vendors. As part of that effort, we work to track the GDPR compliance status of a large number of vendors, so that you can see if your vendor are compliant. And we stay up-to-date on GDPR news, too.